Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 26, 2021, 7:02 a.m.	July 26, 2021, 7:05 a.m.

Size	12.3KB
Type	ASCII text, with very long lines
MD5	`aadd4493653c7fd747dba3d0a9ffb7ca`
SHA256	`949459b7a671b98805de07ef4bfe85e9ddab2eb6c7502393b32b17ba9bc7403e`
CRC32	`0E98CFBC`
ssdeep	`192:dk0prayx1B7Ahrkmg29u29sQ2+GOWAVmuscZu9O7y:d/h7B7Ahwmg29u2rZq`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "NVnCbFcGVRJBN" C:\Users\test22\AppData\Local\Temp\play.js.wakeups_resource-2021-07-23-212955.ips
1604
- rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\test22\AppData\Local\Temp\play.js.wakeups_resource-2021-07-23-212955.ips
  2172
  - AcroRd32.exe "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\test22\AppData\Local\Temp\play.js.wakeups_resource-2021-07-23-212955.ips"
    2432
    - Adobe_Updater.exe "C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe" -doActionAppID=reader9rdr-en_US
      2972
    - Adobe_Updater.exe "C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe" -AU_LAUNCH_MODE=1 -AU_DISPLAY_LANG=en_US -AU_LAUNCH_APPID=reader9rdr-en_US
      2328
explorer.exe C:\Windows\Explorer.EXE
1248

Name	Response	Post-Analysis Lookup
swupmf.adobe.com	CNAME ssl.adobe.com.edgekey.net CNAME e4578.dscb.akamaiedge.net A 23.35.221.25	23.50.1.229

IP Address	Status	Action
164.124.101.2	Active	Moloch
23.35.221.25	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW July 26, 2021, 6:55 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW July 26, 2021, 6:55 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 26, 2021, 7:02 a.m.			0	0
IsDebuggerPresent July 26, 2021, 7:03 a.m.			0	0
IsDebuggerPresent July 26, 2021, 7:03 a.m.			0	0

Tries to locate where the browsers are installed (1 event)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 26, 2021, 7:03 a.m.		1	1	0

Performs some HTTP requests (2 events)

request	GET http://swupmf.adobe.com/manifest/60/win/reader9rdr-en_US.upd
request	GET http://swupmf.adobe.com/manifest/60/win/AdobeUpdater.upd

Allocates read-write-execute memory (usually to unpack itself) (17 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 26, 2021, 7:02 a.m.	process_identifier: 2172 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fd0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 26, 2021, 7:02 a.m.	process_identifier: 2172 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 26, 2021, 7:02 a.m.	process_identifier: 2172 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ba1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 26, 2021, 7:02 a.m.	process_identifier: 2172 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73af1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 26, 2021, 7:02 a.m.	process_identifier: 2172 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c32000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 26, 2021, 7:02 a.m.	process_identifier: 2172 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73cf1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 26, 2021, 7:02 a.m.	process_identifier: 2172 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ec1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 26, 2021, 7:02 a.m.	process_identifier: 2172 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74041000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 26, 2021, 7:02 a.m.	process_identifier: 2172 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73961000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 26, 2021, 7:02 a.m.	process_identifier: 2172 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74711000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 26, 2021, 7:02 a.m.	process_identifier: 2172 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x767a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 26, 2021, 7:02 a.m.	process_identifier: 2172 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72091000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 26, 2021, 7:02 a.m.	process_identifier: 2172 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72093000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2021, 6:56 a.m.	process_identifier: 1248 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000007560000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 26, 2021, 7:03 a.m.	process_identifier: 2432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d72000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 26, 2021, 7:03 a.m.	process_identifier: 2432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d13000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 26, 2021, 7:04 a.m.	process_identifier: 2328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d72000 process_handle: 0xffffffff	1

Creates a shortcut to an executable file (13 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip File Manager.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\displayswitch.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader 9.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk

Checks for the Locally Unique Identifier on the system for a suspicious privilege (8 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW July 26, 2021, 6:55 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW July 26, 2021, 6:55 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW July 26, 2021, 6:55 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW July 26, 2021, 6:55 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW July 26, 2021, 6:55 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW July 26, 2021, 6:56 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW July 26, 2021, 6:56 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW July 26, 2021, 6:56 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Harvests credentials from local email clients (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Mozilla Thunderbird\Capabilities\Hidden

One or more non-whitelisted processes were created (2 events)

parent_process	acrord32.exe				martian_process	"C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe" -AU_LAUNCH_MODE=1 -AU_DISPLAY_LANG=en_US -AU_LAUNCH_APPID=reader9rdr-en_US
parent_process	acrord32.exe				martian_process	"C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe" -doActionAppID=reader9rdr-en_US

play.js.wakeups_resource-2021-07-23-212955.ips

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All